sepolicy: Allow recovery to alter /

Gabriele M · Michael Bestas · commit 274193692cc1 · 2020-12-08T17:55:42.000+02:00
This is needed for /etc/fstab, /adb_keys and volmgr

Change-Id: I53332a57ce7879d7ba63c4ea3e27add01f5a3a90
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
@@ -490,8 +490,8 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend
 neverallow * exec_type:dir_file_class_set mounton;
 neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
 
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+# Nothing should be writing to files in the rootfs, except recovery.
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
diff --git a/public/domain.te b/public/domain.te
@@ -490,8 +490,8 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend
 neverallow * exec_type:dir_file_class_set mounton;
 neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
 
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+# Nothing should be writing to files in the rootfs, except recovery.
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
